Professional Documents
Culture Documents
W2KGuides@nsa.gov
UNCLASSIFIED
UNCLASSIFIED
ii
UNCLASSIFIED
UNCLASSIFIED
Disclaimer
Disclaimer
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL THE NATIONAL SECURITY AGENCY OR ANY
AGENT OR REPRESENTATIVE THEREOF BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION),
HOWEVER CAUSED UNDER ANY THEORY OF LIABILITY, ARISING IN ANY WAY
OUT OF THE USE OF OR INABILITY TO MAKE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
iii
UNCLASSIFIED
UNCLASSIFIED
iv
UNCLASSIFIED
UNCLASSIFIED
Acknowledgements
Acknowledgements
The author would like to acknowledge the authors of the “Guide to Implementing
Windows NT in Secure Network Environments” and the “Guide to Securing Microsoft
Windows NT Networks” versions 2.0, 2.1, and 3.0, 4.0, and 4.1.
The author acknowledges Michael Samsel for his development of the Enhanced
Password DLL included with this guide.
The author would also like to thank Paul Bartock, Neal Ziring, Edward Wojciechowski,
and Kim Downin, along with the many others involved in reviewing this document. Your
comments and suggestions were invaluable.
Some parts of this document were drawn from Microsoft copyright materials with their
permission.
v
UNCLASSIFIED
UNCLASSIFIED
Trademark Information
Trademark Information
Microsoft, MS-DOS, Windows, Windows 2000, Windows NT, Windows 98, Windows 95,
Windows for Workgroups, and Windows 3.1 are either registered trademarks or
trademarks of Microsoft Corporation in the U.S.A. and other countries.
All other names are registered trademarks or trademarks of their respective companies.
vi
UNCLASSIFIED
UNCLASSIFIED
Table of Contents
Table of Contents
Disclaimer ................................................................................................................................................... iii
Acknowledgements .................................................................................................................................... v
Trademark Information.............................................................................................................................. vi
Table of Tables............................................................................................................................................ x
vii
UNCLASSIFIED
UNCLASSIFIED
Chapter 6 Managing Restricted Groups with Security Templates....................................................... 57
Modifying Restricted Groups via the Security Templates Snap-in.......................................................... 57
Table of Contents
Chapter 9 Modifying File System Security Settings with Security Templates ................................... 73
File and folder permissions ..................................................................................................................... 73
Modifying File System settings via the Security Template snap-in ......................................................... 76
Recommended File and Folder Permissions .......................................................................................... 78
Appendix B References............................................................................................................................ 96
viii
UNCLASSIFIED
UNCLASSIFIED
Table of Figures
Table of Figures
Figure 2 Password Policy Recommended Settings..............................................................................24
Figure 3 Recommended User Rights ...................................................................................................29
Figure 4 System Services .....................................................................................................................60
Figure 5 Advanced Registry Permissions Dialog Box ..........................................................................66
Figure 6 File/Folder Permission Inheritance Options ...........................................................................79
Figure 7 Configuration File Selection....................................................................................................89
Figure 8 Results of a Security Analysis ................................................................................................92
ix
UNCLASSIFIED
UNCLASSIFIED
Table of Tables
Table of Tables
x
UNCLASSIFIED
UNCLASSIFIED
Chapter
Chapter 1 - Important
Information on Using
this Guide
Important Information on Using this Guide
The purpose of this document is to inform the reader about the Windows 2000 Security
Configuration Tool Set’s capabilities and recommended security settings that can be
configured via the tool set. This document represents only a portion of Group Policy
security-related issues. Additional security information on Group Policy Objects
(GPOs) is addressed in the Guide to Securing Microsoft Windows 2000 Group
Policy, which should be read prior to reading this document.
Included with this document are four security templates: W2K DC.inf, W2K
Workstation.inf, W2K Server.inf, and W2K Domain Policy.inf. The
purpose and use of these templates will be discussed later in this document.
This document is intended for Windows 2000 network administrators, but should be read
by anyone involved or interested in Windows 2000 or network security.
Assumptions
The following essential assumptions have been made to limit the scope of this document:
The network consists only of machines running Microsoft Windows 2000 clean-
installed machines (i.e., not upgraded).
The latest Windows 2000 service pack and hotfixes have been installed. For
further information on critical Windows 2000 updates, see the Windows Update
for Windows 2000 web page http://windowsupdate.microsoft.com or search for
security hotfixes by service pack at the Technet Security Bulletin Search
http://www.microsoft.com/technet/security/current.asp.
All network machines are Intel-based architecture.
Applications are Windows 2000 compatible.
Users of this guide have a working knowledge of Windows 2000 installation and
basic system administration skills.
The user should read and agree with the following warnings/caveats prior to configuring a
network with this guide’s recommendations:
Do not attempt to install any of the settings in this guide without first
testing in a non-operational environment.
This document is only a guide containing recommended security settings. It is
not meant to replace well-structured policy or sound judgment. Furthermore, this
guide does not address site-specific configuration issues. Care must be taken
when implementing this guide while using products such as Microsoft Exchange,
IIS, and SMS.
11
UNCLASSIFIED
UNCLASSIFIED
The security changes described in this document only apply to Microsoft
Windows 2000 systems and should not be applied to any other Windows 2000
Chapter 1 - Important
Information on Using
For permissions on Windows 2000 workstations and member servers, Microsoft now
makes wide use of the Users group. The Users group by default contains the
Authenticated Users group and INTERACTIVE user (along with Domain Users for a
domain machine). Membership in Users can be controlled by administrators, which is
Microsoft’s reasoning for using this group in access control lists. Looking at the default
security templates for workstations and member servers (see the next chapter for
information on these templates), the Users group is used in file and registry permissions
as well as user rights assignment.
However, Microsoft uses the built-in Authenticated Users group to assign permissions on
domain controllers. Out-of-the-box domain controller security templates replace Users
with Authenticated Users.
This guide has chosen to follow Microsoft’s convention. No security should be lost if you
choose to replace the Users group with the Authenticated Users group on workstations
and member servers.
System Variables
%SystemRoot% - The folder containing the Windows 2000 operating system files.
This is usually %SystemDrive%\winnt.
%SystemDirectory% - %SystemRoot%\system32
12
UNCLASSIFIED
UNCLASSIFIED
%ProgramFiles% - Folder in which most applications are installed. This is usually
%SystemDrive%\Program Files.
Chapter 1 - Important
Information on Using
About the Guide to Securing Microsoft Windows 2000: Security
this Guide
Configuration Tool Set
13
UNCLASSIFIED
UNCLASSIFIED
Comments
Chapter 1 - Important
Information on Using
14
UNCLASSIFIED
UNCLASSIFIED
Chapter
Local Policies – includes Audit Policy, User Rights Assignment, and Security
Options
File System – includes NTFS file and folder DACLs (i.e., file and folder
permissions)
Chapters 3 – 9 describe recommended settings and how to customize the templates, and
Chapter 10 describes how to conduct a security analysis and configuration.
For more detailed information on the Security Configuration Tool Set, refer to the Step by
Step Guide to Using the Security Configuration Toolset
http://www.microsoft.com/windows2000/techinfo/planning/security/secconfsteps.asp.
15
UNCLASSIFIED
UNCLASSIFIED
The Security Configuration Tool Set supports both a graphical user interface (GUI) and a
Security Configuration Tool Set
The graphical user interface is provided via the Microsoft Management Console (MMC).
The MMC is a container for administrative tools and is used extensively in Windows
2000. Tools are imported into the MMC via “snap-ins.”
In actuality, the Security Configuration Tool Set consists of two MMC snap-ins: Security
Templates and Security Configuration and Analysis. Both snap-ins will be discussed in
greater detail in this chapter and Chapter 10, respectively.
The security configuration GUI allows an administrator to:
Create and/or edit security configuration files
The GUI provides different colors, fonts, and icons to highlight the differences between
the baseline information and the actual system settings. When an analysis or
configuration is performed, all security areas within a security template are included in the
analysis.
The security configuration command line tool (secedit.exe) is all that is needed to:
Perform a security analysis
The command line option allows for analysis of individual security areas versus the entire
configuration file. Also, analysis results can be redirected to a file for review at a later
time. The command line tool is also useful for applying predefined configuration files to
many systems using distributed systems management tools.
Security Templates
Security templates are files that contain a set of security configurations. Templates
provide an easy way to standardize security across a platform or domain. They may be
applied to Windows 2000 computers either by being imported into a Group Policy Object,
or by being directly applied to the local computer policy.
This section provides a general overview of the Security Templates snap-in and
discusses the security configuration files included with the tool.
16
UNCLASSIFIED
UNCLASSIFIED
The Security Templates snap-in must be loaded into the Microsoft Management Console
(MMC). The MMC is loaded by default on Windows 2000 systems. To load the Security
Templates snap-in:
Run the Microsoft Management Console (mmc.exe)
17
UNCLASSIFIED
UNCLASSIFIED
Enter the file name under which the current console settings will be saved
Click Save
From then on, the console can be accessed from Start → Program Files →
Administrative Tools.
Security Configuration Tool Set
Chapter 2 – Introduction to the
This section describes the default and NSA security templates available for the Security
Templates snap-in.
Microsoft-provided Templates
Within the Security Templates snap-in, Microsoft provides several templates addressing
varying levels of security. Among these are basicwk.inf, basicdc.inf,
basicsv.inf, securedc.inf, securews.inf, hisecdc.inf, and
hisecws.inf. Since this guide’s recommended security settings are addressed in the
NSA-provided templates (see section below), the details of the Microsoft templates will
not be discussed here.
18
UNCLASSIFIED
UNCLASSIFIED
This section provides a general checklist of steps to be performed when customizing the
security templates included in this document.
Review and understand the warnings in Chapter 1. It is NOT recommended
that the NSA-provided templates be applied blindly without thoroughly
reviewing the settings in Chapters 3-9.
Backup your system, especially if it is a server or domain controller. Backups are
the only sure-fire way to restore your system if security configurations break
something.
Copy the appropriate configuration files included on the companion CD to the
template directory (%Systemroot%\Security\Templates). Review Table 2
to determine the necessary template file(s).
It is suggested that you make copies of the template files under different names if
you plan to perform modifications to the recommended settings. You can do this
prior to opening the files in the MMC, or by performing a Save As after making
modifications to the templates (see the above section on Editing Security
Configuration Files).
Several new security options have been added to the NSA templates. To make
these options available, copy the NSA sceregvl.inf file from the companion
CD into the %SystemRoot%\inf folder. You should rename the original copy of
sceregvl.inf prior to copying the NSA-provided file in case you need to revert
back to original configurations.
To register the new security options, from the command prompt run regsvr32
scecli.dll. The end of Chapter 4 discusses how other security options can be
added to the templates.
Review the recommended security settings in Chapters 3 – 9. Via the Security
Templates MMC snap-in, modify the template files according to your network’s
needs. Pay close attention to any notes or warnings associated with the
settings. To modify the templates:
19
UNCLASSIFIED
UNCLASSIFIED
Within the MMC, double-click on the Security Templates node in the left pane
Double-click the default configuration file directory
(%Systemroot%\Security\Templates). A list of available configuration
files is revealed.
Security Configuration Tool Set
Chapter 2 – Introduction to the
Once the templates have been customized to your network environment and
saved, apply the templates. If the template will be applied locally, see Chapter 10
for information on configuration options via the Security Configuration and
Analysis snap-in or the secedit.exe command line tool. If the template will be
imported into a Group Policy Object, please refer to the Guide to Securing
Microsoft Windows 2000 Group Policy.
If problems arise after applying the security templates to a system, troubleshooting may
be difficult if many settings were applied at once. First and foremost, try the settings out
in a test environment before applying to an operational network. Also try configuring one
section of the templates at a time via the command line secedit.exe tool (described
later) or by isolating specific sections in a separate inf file. This method will allow you to
apply one part of the templates (e.g. Account Policy or File System) and then test the
system for problems before moving onto the next section.
The only sure-fire way to restore a system to its original configuration is via a
backup. The setup security.inf file (mentioned earlier in this chapter) can be used
to reset most settings to their default (out-of-the-box) values. However, any settings
specified as “Not Defined” in the default template will not change the values configured
by the NSA templates.
.
20
UNCLASSIFIED
UNCLASSIFIED
Chapter
Templates
A key component of controlling the security in a Windows 2000 domain is the proper
setting of account policies. Depending on the type of system (e.g. domain controller,
workstation, member server), account policy configuration will impact the network
differently. In Windows 2000 domains, account policy is set and enforced in the
domain’s Group Policy. Attempts to configure domain account policies in other
GPOs are ignored. Configuring account policies directly on workstations and
member servers only impacts the local password or lockout policy on the machine.
To ensure a consistent password and lockout policy throughout the entire domain for
both local and domain logons, the same policy should be set on the domain controllers
(via the domain GPO), member servers and workstations. See the Guide to Securing
Microsoft Windows 2000 Group Policy for more information on importing security
templates into the appropriate containers.
To view account policy settings of a security template double-click the following in the
MMC:
Security Templates
Default configuration file directory (%SystemRoot%\Security\Templates)
Specific configuration file
Account Policies
NOTE: After making any modifications to the configuration
files make sure the changes are saved, and then test the
changes before installing them on an operational network.
Password Policy
Before making modifications to the Account Policy dialog box, review your
organization’s written password security policy. The settings made in the Account
Policy dialog box should comply with the written password policy. Users should read and
sign statements acknowledging compliance with the organizational computer policy.
Recommendations for a password policy include:
Users should never write down passwords
Passwords should be difficult to guess and include uppercase, lowercase,
special (e.g., punctuation and extended character set), and numeric characters
21
UNCLASSIFIED
UNCLASSIFIED
Users should not transmit clear-text passwords using any form of electronic
communications.
To modify the password policy settings via the Security Templates snap-in, double-click
Chapter 3 – Modifying Account
Policy Settings with Security
22
UNCLASSIFIED
UNCLASSIFIED
Templates
password. Already-existing passwords will not be affected.
Store password using reversible encryption for all users in the Disabled
domain
Determines whether user passwords will be stored using a two-way hash.
This option exists to provide password information to certain applications.
However, storing passwords with reversible encryption is similar to storing
clear-text passwords and should NOT be permitted.
23
UNCLASSIFIED
UNCLASSIFIED
Chapter 3 – Modifying Account
Policy Settings with Security
Templates
24
UNCLASSIFIED
UNCLASSIFIED
Account lockout is recommended after three invalid logon attempts. This setting will slow
down a dictionary attack in which thousands of well-known passwords are tried. If the
account is locked out after each invalid attempt to logon, the hacker must wait until the
Templates
click the following path:
Account Policies → Account Lockout Policy → specific option to view or edit settings
Table 4 lists the recommended account lockout policy settings.
Kerberos Policy
Kerberos is the default authentication method used in Windows 2000 Active Directory.
Since Active Directory is necessary for Kerberos authentication, the Kerberos policy only
has significance for the Windows 2000 domain Group Policy Object. Therefore, for the
standalone workstation and server configurations that this document addresses, the
Kerberos policies will not be defined.
25
UNCLASSIFIED
UNCLASSIFIED
To modify Kerberos settings via the Security Templates snap-in, double-click the
following path:
Account Policies → Kerberos Policy → specific option to view or edit settings
Chapter 3 – Modifying Account
Policy Settings with Security
Table 5 lists the Kerberos Policy options that should be applied at the domain group
policy level (in the provided Domain Policy.inf template).
Templates
26
UNCLASSIFIED
UNCLASSIFIED
Chapter
Templates
Templates
The Local Policies section in the Security Templates snap-in includes Audit Policy, User
Rights Assignment, and Security Options. To view local policy settings of a security
template, double-click the following in the MMC:
Security Templates
Default configuration file directory (%SystemRoot%\Security\Templates)
Specific configuration file
Local Policies
NOTE: After making any modifications to the configuration
files make sure the changes are saved and then test the
changes before installing them on an operational network.
Auditing Policy
Auditing is critical to maintaining the security of the domain. On Windows 2000 systems,
auditing is not enabled by default. Each Windows 2000 system includes auditing
capabilities that collect information about individual system usage. The logs collect
information on applications, system, and security events. Each event that is audited in an
audit policy is written to the security event log, which can be viewed with the Event
Viewer.
WARNING: Auditing can consume a large amount of
processor time and disk space. It is highly recommended
that administrators check, save, and clear audit logs
daily/weekly to reduce the chances of system degradation or
save audit logs to a separate machine. It is also
recommended that logs be kept on a separate partition.
To modify the audit policy settings via the Security Templates snap-in, double-click the
following path:
Local Policies → Audit Policy →
specific option to view or edit
Table 6 lists recommended Audit Policy Settings for domain controllers, member servers,
and workstations.
NOTE: Auditing is important on all domain machines,
workstations and servers alike. However, if operational
constraints do not make auditing on all machines possible,
at a minimum, auditing should be enabled on all servers.
27
UNCLASSIFIED
UNCLASSIFIED
Tracks changes to the Security Account database (i.e., when accounts are
created, changed, or deleted).
Audit directory service access No auditing
Audits users’ access to Active Directory objects that have their system access (workstations and
control list (SACL) defined. This option is similar to Audit Object Access except member servers)
that it only applies to Active Directory objects and not files and registry objects.
Since this option only applies to Active Directory, it has no meaning on Failure (domain
workstations and member servers. controllers)
28
UNCLASSIFIED
UNCLASSIFIED
User rights are allowable actions that can be assigned to users or groups to supplement
built-in abilities. Careful allocation of user rights can significantly strengthen the security
of a Windows 2000 system. The recommended user rights are listed and described in
Figure 3 and Table 7. Advanced user rights are assigned to Administrators or other
Templates
NOTE: Based on network policies, some users/groups may
need to be added or deleted from the recommended user
rights
To modify the user rights settings via the Security Templates snap-in, double-click the
following path:
Local Policies → User Rights Assignment
Right-click on the desired Attribute in the right frame
Select Security
To add a user or group, Add → Select user or group → Add → OK → OK
To remove a user or group, select user or group → Remove → OK
29
UNCLASSIFIED
UNCLASSIFIED
NOTE: By default,
Authenticated Users are
given this right on Domain
Controllers. Allowing users to
add their own machines to a
domain could pose security
risks. Therefore, it is
recommended that the
Authenticated Users group
not be granted this right.
30
UNCLASSIFIED
UNCLASSIFIED
Templates
be used to access local resources. Only the Local
Security Authority should be allowed to create this
object.
Create permanent shared objects (No one) (No one)
Allows a user to create special permanent
directory objects, such as \\Device, that are used
within the Windows 2000 object manager.
Debug programs (No one) (No one)
Allows a user to debug various low-level objects
such as threads.
Deny access to this computer from the (No one) (No one)
network
Prevents specific users and/or groups from
accessing the computer via the network. This
setting supercedes the “Access this computer
from the network” setting if an account is subject
to both policies.
Deny logon as a batch job (No one) (No one)
Prevents specific users and/or groups from
logging on as a batch job. This setting supercedes
the “Logon as a batch job” setting if an account is
subject to both policies.
Deny logon as a service (No one) (No one)
Prevents specific service accounts from
registering a process as a service. This setting
supercedes the “Log on as a service” setting if an
account is subject to both policies.
Deny logon locally (No one) (No one)
Prevents specific users and/or groups from
logging on directly at the computer. This setting
supercedes the “Log on locally” setting if an
account is subject to both policies.
Enable computer and user accounts to be (No one) Administrators (domain
trusted for delegation controllers)
Allows a user to set the “Trusted for Delegation”
setting on a user or computer object. The user (No one) (member servers)
granted this right must have write access to the
account control flags on the computer or user
object.
31
UNCLASSIFIED
UNCLASSIFIED
32
UNCLASSIFIED
UNCLASSIFIED
Templates
system PRIOR to applying the (No one) (No one)
security templates in order to
determine which assignments
are necessary.
WARNING: The provided
template files will remove all
users/groups from this right
unless you modify the
setting.
Log on locally
Allows a user to log on at a system’s console. To
allow a user to log on locally at a domain
controller, this right must be enabled in the
Domain Controller group policy object.
33
UNCLASSIFIED
UNCLASSIFIED
34
UNCLASSIFIED
UNCLASSIFIED
Templates
protecting objects.
Table 7 User Rights Options
Security Options
The Security Templates Security Option section contains many security parameters that
can be easily configured by adding or changing registry key values. Table 8 lists the
recommended settings. Customized security options added to the NSA templates are
shaded.
WARNING: Use the Security Configuration Tool Set when
configuring Security Options. Using the registry editor
incorrectly can cause serious, system-wide problems that
may require reinstallation of Windows 2000.
35
UNCLASSIFIED
UNCLASSIFIED
HKLM\System\CurrentControlSet\Control\Lsa\
RestrictAnonymous = 2
Allow Automatic Administrator Logon Disabled Disabled
Allows a system to automatically logon as administrator
when the machine is started. By default, this setting is
disabled.
NOTE: If this option was at one time
enabled, a DefaultPassword registry
value may also exist in the same
registry key. This value contains the
administrator password in clear text
and should be deleted.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon\AutoAdminLogon = 0
36
UNCLASSIFIED
UNCLASSIFIED
Templates
default, Administrators are able to schedule tasks.
Options are:
Disabled
Only allow Administrators to schedule tasks
Enabled
Allow Administrators and Server Operators to schedule
tasks
HKLM\System\CurrentControlSet\Services\Schedule = 0
Allow system to be shut down without having to log Disabled Disabled
on
On Windows 2000 Professional, a Shutdown button is
available in the Logon dialog box. When this option is
disabled, users must be able to log on to the system and
have the “Shut down the system” user right in order to
shutdown the computer. By default, this option is disabled
on servers.
HKLM\Software\Microsoft\Windows\CurrentVersion\
Policies\System\ShutdownWithoutLogon = 0
Allowed to eject removable NTFS media Administrators Administrators
By default, only Administrators are allowed to eject
removable NTFS media. This setting allows for the
following options:
Administrators
Administrators and Power Users
Administrators and Interactive Users
HKLM\Software\Microsoft\Windows NT\
CurrentVersion\winlogon\AllocateDASD = 0
Amount of idle time required before disconnecting 30 minutes 30 minutes
session
Sets the amount of continuous idle time in a Server
Message Block (SMB) session before a session is
disconnected. If client activity resumes after a disconnect,
the session is automatically reestablished. Allowable
values are between 0 (Do not disconnect clients) and
99,999 minutes
HKLM\System\CurrentControlSet\Services\
LanManServer\Parameters\AutoDisconnect = 15
37
UNCLASSIFIED
UNCLASSIFIED
HKLM\System\CurrentControlSet\Control\Lsa\
AuditBaseObjects = 1
Audit use of Backup and Restore privilege Enabled Enabled
Enables auditing of all user rights in conjunction with
Audit Privilege Use auditing being enabled. If this option
is disabled, the Backup and Restore rights will not be
audited even if Audit Privilege Use is enabled.
HKLM\System\CurrentControlSet\Control\Lsa\
FullPrivilegeAuditing =1
Automatically log off users when logon time expires Not Defined Not defined
Causes client SMB sessions to be forcibly disconnected
when a user’s logon hours expire. This setting affects all
machines in a domain and should be set at the domain-
level group policy.
Automatically log off users when logon time expires Enabled Enabled
(local)
Causes client SMB sessions to be forcibly disconnected
when a user’s logon hours expire. This policy affects the
local machine on which it is applied.
HKLM\System\CurrentControlSet\Services\
LanManServer\Parameters\EnableForcedLogoff = 1
Clear virtual memory pagefile when system shuts Enabled Enabled
down
Wipes the system pagefile clean when Windows 2000
shuts down, ensuring that sensitive information that may
be in the pagefile is not available to malicious users.
When this option is enabled, it also causes the hibernation
file (hiberfil.sys) to be cleared when hibernation is
disabled on a laptop system.
HKLM\CurrentControlSet\Control\SessionManager\
MemoryManagement\ClearPageFileAtShutdown = 1
38
UNCLASSIFIED
UNCLASSIFIED
Templates
in-the-middle” and active message attacks.
HKLM\System\CurrentControlSet\Services\
LanmanWorkstation\Parameters\
RequireSecuritySignature = 0
Digitally sign client communication (when possible) Enabled Enabled
Enables an SMB client to perform digital packet signing
when communicating with an SMB server that also
supports packet signing. Digital signatures provide mutual
authentication during SMB exchanges, preventing “man-
in-the-middle” and active message attacks.
HKLM\System\CurrentControlSet\Services\
LanmanWorkstation\Parameters\
EnableSecuritySignature = 1
Digitally sign server communication (always) Disabled Disabled
Forces an SMB server to always digitally sign SMB
communications. Digital signatures provide mutual
authentication during SMB exchanges, preventing “man-
in-the-middle” and active message attacks.
HKLM\System\CurrentControlSet\Services\
LanmanServer\Parameters\RequireSecuritySignature = 0
Digitally sign server communication (when possible) Enabled Enabled
Enables an SMB server to perform digital packet signing
when communicating with an SMB client that also
supports packet signing. Digital signatures provide mutual
authentication during SMB exchanges, preventing “man-
in-the-middle” and active message attacks.
HKLM\System\CurrentControlSet\Services\
LanmanServer\Parameters\EnableSecuritySignature = 1
39
UNCLASSIFIED
UNCLASSIFIED
HKLM\Software\Microsoft\Windows\CurrentVersion\
Policies\System\DisableCAD = 0
Disable Media Autoplay All Drives All Drives
Autoplay reads from a drive as soon as it is inserted. By
default, Windows 2000 autoruns any CDROM that is
placed in the drive. This could allow executable content to
be run without any access to the command prompt.
Autoplay on floppy disks and network drives is disabled by
default. The options for this setting are:
CDROM drives
Disables autorun on CDROMs. Registry value =
0x00000095
All drives
Disables autorun on all media. Registry value =
0x000000FF
HKLM\Software\Microsoft\Windows\CurrentVersion\
Policies\Explorer\NoDriveTypeAutoRun = 0x000000FF
40
UNCLASSIFIED
UNCLASSIFIED
Templates
user names on the system, disallow display of the last
logon. This is especially important if a generally
accessible computer is being used for system
administration.
HKLM\Software\Microsoft\Windows\CurrentVersion\
Policies\System\DontDisplayLastUsername= 1
LAN Manager authentication level Send NTLMv2 Send NTLMv2
This parameter specifies the type of challenge/response response only\refuse response only\refuse
authentication to be used for network logons with non- LM & NTLM LM & NTLM
Windows 2000 Windows clients. LanManager
authentication (LM) is the most insecure method, allowing
encrypted passwords to be easily sniffed off the network
and cracked. NT LanManager (NTLM) is somewhat more
secure. NTLMv2 is a more robust version of NTLM and is
available with Windows NT 4.0 Service Pack 4 and higher
as well as Windows 95/98 with Directory Services Client.
The following options are available:
41
UNCLASSIFIED
UNCLASSIFIED
HKLM\System\CurrentControlSet\Control\Lsa\
LMCompatibilityLevel = 5
42
UNCLASSIFIED
UNCLASSIFIED
Templates
display a warning message that notifies potential users
that their use can be monitored and they can be held
legally liable if they attempt to use the computer without
proper authorization. The absence of such a notice could
be construed as an invitation, without restriction, to enter
and browse the system.
HKLM\Software\Microsoft\Windows\CurrentVersion\
Policies\System\LegalNoticeText = "Text you want
displayed"
Message title for users attempting to log on <Configure locally - <Configure locally -
In conjunction with the Logon Text, it is recommended see Appendix for see Appendix for
that systems display a warning message title before sample> sample>
logon, indicating the private nature of the system.
HKLM\Software\Microsoft\Windows\CurrentVersion\
Policies\System\LegalNoticeCaption = "Text you want
displayed on title bar"
Number of previous logons to cache (in case domain 0 logons 0 logons
controller is not available)
The default Windows 2000 configuration caches the last
10 logon credentials for users who log on interactively to a
system. This feature is provided for system availability
reasons such as the user’s machine being disconnected
from the network or domain controllers not being
available.
HKLM\Software\Microsoft\Windows NT\
CurrentVersion\Winlogon\CachedLogonsCount = 0
Prevent system maintenance of computer account Disabled Disabled
password
By default, computer account passwords are changed
every seven days. Enabling this option prevents machines
from requesting a weekly password change.
HKLM\System\CurrentControlSet\Services\Netlogon\
Parameters\DisablePasswordChange = 0
43
UNCLASSIFIED
UNCLASSIFIED
HKLM\System\CurrentControlSet\Control\Print\Providers\
LanMan Print Services\Servers\AddPrinterDrivers = 1
Prompt user to change password before expiration 14 days 14 days
Sets how far in advance users are warned that their
passwords will expire.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon\PasswordExpiryWarning = 14
Recovery Console: Allow automatic administrative Disabled Disabled
logon
If this option is enabled, the Recovery Console will not
prompt for an administrator password and will
automatically log on to the system.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Setup\RecoveryConsole\SecurityLevel = 0
Recovery Console: Allow floppy copy and access to Disabled Disabled
all drives and folders
Enables the Recovery Console SET command, which
allows setting of console environment variables such as
AllowWildCards, AllowAllPaths, AllowRemovableMedia,
and NoCopyPrompt.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Setup\RecoveryConsole\SetCommand = 0
44
UNCLASSIFIED
UNCLASSIFIED
Templates
who is targeting the built-in Administrator account. When
choosing another name for this account, avoid obvious
names such as “admin” or “root,” which reveal the use of
the account. After renaming the account, it is
recommended that the default account description be
changed or deleted.
45
UNCLASSIFIED
UNCLASSIFIED
HKLM\Software\Microsoft\Windows NT\
CurrentVersion\Winlogon\ AllocateCDRoms = 1
Restrict floppy access to locally logged on user only Enabled Enabled
By default, Windows 2000 allows any program to access
files on floppy drives. In a highly secure, multi-user
environment, it only allows interactive users to access
these devices. When operating in this mode, the floppy
disks are allocated to a user as part of the interactive
logon process. These devices are automatically
deallocated when the user logs off.
HKLM\Software\Microsoft\Windows NT\
46
UNCLASSIFIED
UNCLASSIFIED
Templates
secure channel data. A secure channel is created
between a system and its domain controller when the
system boots. By default, communications sent via the
secure channel are authenticated and sensitive
information, such as passwords, is encrypted, but the
channel is not integrity checked and not all information is
encrypted. This option will encrypt or sign all data passing
through the secure channel.
HKLM\System\CurrentControlSet\Services\Netlogon\
Parameters\RequireSignorSeal = 0
Secure channel: Digitally encrypt secure channel data Enabled Enabled
(when possible)
Enables a computer to digitally encrypt secure channel
data. See the explanation of secure channel
communication in the previous option.
HKLM\System\CurrentControlSet\Services\Netlogon\
Parameters\SealSecureChannel = 1
Secure channel: Digitally sign secure channel data Enabled Enabled
(when possible)
Enables a computer to digitally sign secure channel data.
See the explanation of secure channel communication in
the previous option.
HKLM\System\CurrentControlSet\Services\Netlogon\
Parameters\SignSecureChannel = 1
47
UNCLASSIFIED
UNCLASSIFIED
HKLM\System\CurrentControlSet\Services\Netlogon\
Parameters\RequireStrongKey = 0
Secure system partition (for RISC platforms only) Not defined Not defined
Restricts access of the RISC system partition (which is
FAT) to administrators only when the operating system is
running.
Send unencrypted password to connect to third-party Disabled Disabled
SMB servers
Some non-Microsoft SMB servers only support
unencrypted (plain text) password exchanges during
authentication. Check with the vendor of the SMB server
product to see if there is a way to support encrypted
password authentication, or if there is a newer version of
the product that adds this support.
HKLM\System\CurrentControlSet\Services\Rdr\
Parameters\EnablePlainTextPassword = 0
48
UNCLASSIFIED
UNCLASSIFIED
Templates
full log, an administrator must log onto the system and
clear the log.
HKLM\System\CurrentControlSet\Control\Lsa\
CrashOnAuditFail = 1
Smart card removal behavior Lock Workstation Lock Workstation
Determines the action taken when a smart card for a
logged-on user is removed from the smart card reader.
Options are:
No action
Lock Workstation
Users can remove their smart card, leave the area, then
return to their same session at a later time.
Force Logoff
Users are automatically logged off when the card is
removed.
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\ScRemoveOption = 1
Strengthen default permissions of global system Enabled Enabled
objects (e.g., Symbolic Links)
Strengthens the DACLs on the global list of shared
system resources (such as DOS device names, mutexes,
and semaphores) so that non-administrative users can
read, but not modify shared objects they did not create.
HKLM\Software\CurrentControlSet\Session Manager\
ProtectionMode = 1
49
UNCLASSIFIED
UNCLASSIFIED
Unsigned driver installation behavior Warn but allow Warn but allow
Determines the action taken when a device driver that has installation installation
not been certified for Windows 2000 attempts to load.
Options are:
Silently succeed
HKLM\Software\Microsoft\Driver Signing\Policy = 1
Unsigned non-driver installation behavior Warn but allow Warn but allow
Determines the action taken when non-device driver installation installation
software that has not been certified for Windows 2000
attempts to load. Options are:
Silently succeed
HKLM\Software\Microsoft\Non-driver Signing\Policy = 1
Table 8 Security Options
Several settings should be configured at the domain-level group policy object. These are
configured in the “W2K Domain Policy.inf” template and are shown in Table 9.
In the Windows 2000 Security Configuration Tool Set, it is possible to add additional
registry key settings to the Security Options portion of a template. To accomplish this,
perform the following actions:
Open the file %SystemRoot%\inf\sceregvl.inf (%SystemRoot% is usually
C:\winnt) in Notepad, Wordpad, or another text editor
Add a line in the form regpath, type, displayname, displaytype where
regpath – registry key value path, e.g.,
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
50
UNCLASSIFIED
UNCLASSIFIED
type – data type of the registry entry represented by a number. Possible
values are REG_SZ (1), REG_EXPAND_SZ (2), REG_BINARY (3),
REG_DWORD (4), REG_MULTISZ (7)
displaytype – How the interface will display the registry value type. Possible
Templates
Re-register scecli.dll by executing regsvr32 scecli.dll at a command
prompt
An example line in sceregvl.inf is:
MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\ScRemoveOption,1,
%ScRemove%,3,0|%ScRemove0%,1|%ScRemove1%,2|%ScRemove2%
The strings listed above are defined in the [Strings] section of sceregvl.inf:
%ScRemove% = Smart card removal behavior
%ScRemove0% = No Action
%ScRemove1% = Lock Workstation
%ScRemove2% = Force Logoff
The deletion of customized security options is not as simple as removing the options from
the sceregvl.inf file and re-registering the DLL. To ensure that options are
permanently deleted from the templates, perform the following actions:
Open sceregvl.inf in a text editor (e.g. Notepad)
Delete the specific security option from the sceregvl.inf file under the
[Register Registry Values] section
Under the sceregvl.inf section labeled “delete these values from current
system,” add the registry key to be removed from the templates. For example,
taking the example used in the previous section, place
MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogo
n\ScRemoveOption under this section.
Save and close sceregvl.inf
At a command prompt, execute regsvr32 scecli.dll
To confirm that the option has been deleted, open the Security Templates snap-
in in the MMC and verify that the option no longer appears in the Local Policies →
Security Options section of the template files
To clean up, edit sceregvl.inf again, remove the entry added previously
under “delete these values from current system,” save and close the file, then run
regsvr32 scecli.dll again.
51
UNCLASSIFIED
This Page Intentionally Left Blank
UNCLASSIFIED
UNCLASSIFIED
52
Chapter 4 – Modifying Local
Policy Settings with Security
Templates
UNCLASSIFIED
Chapter
Event log settings that can be configured with the security templates include maximum
size, guest access, how long logs will be retained, and how the operating system handles
logs at the maximum size.
To modify Event Log Settings via the Security Templates, double-click the following path:
Event Log → Settings for Event Logs → specific option to view or edit
Table 10 lists recommended Event Log settings for the Application, Security, and System
logs.
53
UNCLASSIFIED
UNCLASSIFIED
54
UNCLASSIFIED
UNCLASSIFIED
Restore. If these options are enabled, large amounts of audit data will be generated,
requiring the logs to be cleared regularly.
If the system halts as a result of a full log, an administrator must restart the system and
clear the log.
NOTE: Before clearing the security log, save the data to disk.
After saving the log, use the registry editor (regedt32.exe) to modify the following
registry key value:
Hive: HKEY_LOCAL_MACHINE
Key: \System\CurrentControlSet\Control\Lsa
Name: CrashOnAuditFail
Type: REG_DWORD
Value: 1
NOTE: This value is set by the operating system just before
it crashes due to a full audit log. While the value is 2, only
the administrator can log on to the computer. This value
confirms the cause of the crash. Reset the value 1
55
UNCLASSIFIED
UNCLASSIFIED
Restricted Groups with Security
Chapter 6 – Managing
Templates
56
UNCLASSIFIED
UNCLASSIFIED
Chapter
Since the settings in the Restricted Groups option should be environment-specific, only
one restricted group setting is configured in the companion configuration (inf) files.
However, a site may need to restrict the membership of additional sensitive groups within
the domain.
To view restricted group settings of an SCM template double-click the following:
Security Templates
Default configuration file directory (%SystemRoot%\Security\Templates)
Specific configuration file
Restricted Groups
NOTE: After making any modifications to the configuration
files make sure the changes are saved and then test the
changes before installing them on an operational network.
The following steps describe how to add a restricted group to the list:
Right-click Restricted Groups
Select Add Group
Click the Browse button
57
UNCLASSIFIED
UNCLASSIFIED
Double-click each group that needs to be added and OK → OK
Double-click newly added group in the right frame
Restricted Groups with Security
Click Add
Chapter 6 – Managing
Double-click each group and/or user who wish to be members of the group
Click OK → OK
Templates
58
UNCLASSIFIED
UNCLASSIFIED
Chapter
Because of the broad nature of this area, system service configuration is environment-
specific. Services not listed in this option can be added. However, a new DLL attachment
will need to be created and attached. For more information on creating service
attachments, refer to the white paper Security Configuration Toolset
http://www.microsoft.com/windows2000/library/howitworks/security/sctoolset.asp .
To view system services settings of a security template double-click the following in the
MMC:
Security Templates
Default configuration file directory (%SystemRoot%\Security\Templates)
Specific configuration file
System Services
NOTE: After making any modifications to the configuration
files make sure the changes are saved, and then test the
changes before installing them on an operational network.
59
UNCLASSIFIED
UNCLASSIFIED
When finished entering the permissions, click OK
Under Select service startup mode, select Automatic, Manual, or Disabled
Figure 4 shows the System Services entries in the Security Templates snap-in.
Chapter 7 – Managing System Services
with Security Templates
If compromised, services may offer direct access to system resources or fall victim to
buffer overflows or denial of service attacks. Therefore, the proper configuration of
services is an important security step. Since services are environment and application
specific, no services are configured in this document. However, there are a few
guidelines to consider when configuring services:
Only run necessary services. For example, if the telnet service or FTP service is
running on a system, but not being used, disable them.
Ensure that only a limited number of users/groups can start, stop, or change a
service.
If a service is listed, but not needed, change the startup mode to Disabled
instead of Manual. This will ensure that the service cannot be restarted by an
unauthorized or malicious user.
60
UNCLASSIFIED
UNCLASSIFIED
When configuring either the startup mode or access control list for a service, you
must configure the other as well. When a service is explicitly disabled, its ACL
should also be secured by changing the default ACL from Everyone Full Control
to grant Administrators and SYSTEM Full Control and Authenticated Users Read
access.
61
UNCLASSIFIED
This Page Intentionally Left Blank
UNCLASSIFIED
UNCLASSIFIED
62
Chapter 8 – Modifying Registry Security
Settings with Security Templates
UNCLASSIFIED
Chapter
Inheritance model
Those who used the Security Configuration Manager with Windows NT 4.0 Service Pack
4 or higher may remember a new inheritance model with respect to registry and file
discretionary access control lists (DACLs), i.e., permissions. Windows 2000 and NTFS
version 5 implement the full functionality of this inheritance model. Within the new
inheritance model, permissions on child objects are automatically inherited from their
parent. This can be seen by the check in the Allow inheritable permissions from
parent to propagate to this object checkbox in the DACL editor. More permissions can
be explicitly defined for a child object in addition to those the child inherits from its parent.
When the checkbox is not checked, the DACLs defined on that object apply only to that
object and its children. No permissions are inherited from the parent object.
Registry permissions
63
UNCLASSIFIED
UNCLASSIFIED
Only Read and Full Control permissions appear in the permissions dialog box. However,
permissions may be set with more granularity by clicking the Advanced button. Table 11
shows a list of granular registry permissions. Table 12 shows which granular permissions
to select in order to achieve certain higher-level permissions.
Chapter 8 – Modifying Registry Security
Set Value Allows new values to be created for a key and old values to be overwritten
Query Value x x
Set Value x x
Create Subkey x x
Enumerate Subkeys x x
Notify x x
Create Link x
Delete x x
Write DAC x
Write Owner x
Read Control x x x
64
UNCLASSIFIED
UNCLASSIFIED
To modify the security settings on a particular registry key already specified in the
inf file:
In the right frame, double-click on the key to be changed
Ensure that the Configure this key then radio button is selected. Under this
option, there are two other options:
Propagate inheritable permissions to all subkeys – all subkeys that already
inherit permissions from the key being configured will inherit the new
permissions. This option will have no effect on subkeys that do not have
Allow inheritable permissions from parent to propagate to this object enabled
in their DACLs.
65
UNCLASSIFIED
UNCLASSIFIED
Chapter 8 – Modifying Registry Security
Settings with Security Templates
66
UNCLASSIFIED
UNCLASSIFIED
There are occasions where a specific registry key should retain its current security
settings. To ensure that parent keys do not propagate their new permissions down to
such registry keys, the object may be excluded from configuration.
Registry keys not explicitly listed below in Table 13 are assumed to inherit the
permissions of their parent key if they already have Allow inheritable permissions from
parent to propagate to this object checked in their DACL. Keys with “Ignore” selected are
explicitly excluded from security configuration and retain their original permissions.
In the table, the term “Propagate” indicates that the Propagate inheritable permissions to
all subkeys radio button should be enabled while “Replace” indicates that the Replace
existing permissions on all subkeys with inheritable permissions radio button should be
enabled.
In the domain controller security template, “W2K DC.inf,” all instances of the Users group
have been replaced with the Authenticated Users group.
67
UNCLASSIFIED
UNCLASSIFIED
RECOMMENDED INHERIT
REGISTRY KEY USER GROUPS
PERMISSIONS METHOD
CLASSES_ROOT\ Administrators Full Control Replace
CREATOR OWNER Full Control
Chapter 8 – Modifying Registry Security
68
UNCLASSIFIED
UNCLASSIFIED
RECOMMENDED INHERIT
REGISTRY KEY USER GROUPS
PERMISSIONS METHOD
\MACHINE\SOFTWARE\Microsoft\Windows \ Administrators Full Control Propagate
CurrentVersion\Policies Authenticated Users Read
SYSTEM Full Control
HKLM\SOFTWARE\Policies
HKLM\SOFTWARE\Microsoft\Windows\
CurrentVersion\Policies
HKCU\SOFTWARE\Policies
HKCU\SOFTWARE\Microsoft\Windows\
CurrentVersion\Policies
69
UNCLASSIFIED
UNCLASSIFIED
RECOMMENDED INHERIT
REGISTRY KEY USER GROUPS
PERMISSIONS METHOD
\MACHINE\SYSTEM\controlset008 Administrators Full Control Propagate
CREATOR OWNER Full Control
Chapter 8 – Modifying Registry Security
Users Read
\MACHINE\SYSTEM\controlset009 Administrators Full Control Propagate
CREATOR OWNER Full Control
Contains a control set that may be used to start (Subkeys only)
and run Windows 2000. SYSTEM Full Control
Users Read
\MACHINE\SYSTEM\controlset010 Administrators Full Control Propagate
CREATOR OWNER Full Control
Contains a control set that may be used to start (Subkeys only)
and run Windows 2000. SYSTEM Full Control
Users Read
\MACHINE\SYSTEM\CurrentControlSet\ Administrators Full Control Replace
Control\SecurePipeServers\winreg Backup Operators Read (Key only)
SYSTEM Full Control
The security permissions set on this key define
which users or groups can connect to the
system for remote registry access. If the key
does not exist, anyone can remotely connect to
the registry. It is highly recommended that only
administrators have remote access to the
registry.
WARNING: Microsoft
Exchange 2000 requires
remote registry access.
Therefore, on Exchange
servers and domain
controllers within the
domain, add the Exchange
Domain Servers group with
Full Control access on this
registry key.
70
UNCLASSIFIED
UNCLASSIFIED
RECOMMENDED INHERIT
REGISTRY KEY USER GROUPS
PERMISSIONS METHOD
\MACHINE\SYSTEM\CurrentControlSet\ Administrators Full Control Propagate
Hardware Profiles CREATOR OWNER Full Control
(Subkeys only)
71
UNCLASSIFIED
This Page Intentionally Left Blank
UNCLASSIFIED
UNCLASSIFIED
72
Chapter 8 – Modifying Registry Security
Settings with Security Templates
UNCLASSIFIED
Chapter
73
UNCLASSIFIED
UNCLASSIFIED
that folder (folders only). This permission only has meaning when the user
Traverse Folder/Execute File
has not been granted the Bypass Traverse Checking user right.
The Execute File permission allows a user to run program files (files only).
List Folder allows the reading of file names and subfolders within a folder
(folders only).
List Folder/Read Data
Read Data allows file data to be read (files only).
Read Attributes Allows viewing of a file’s NTFS attributes (e.g.,” Read only” or “Hidden”).
Allows viewing of a file’s extended attributes. Extended attributes may vary
Read Extended Attributes
as they are defined by specific programs.
Create Files allows the creation of files within a folder (folders only).
Create Files/Write Data
Write Data allows modification and/or overwriting of files (files only).
Create Folders allows the creation of folders within a folder (folders only).
Create Folders/Append Data
Append Data allows making changes to the end of file (files only).
Allows the modification of a file’s NTFS attributes (e.g., “Read only” or
Write Attributes
“Hidden”).
Write Extended Attributes Allows the modification of a file’s program-specific extended attributes.
Allows the deletion of subfolders and files regardless if the Delete
Delete Subfolders and Files
permission was granted on the subfolder or file.
Delete Allows deletion of a file or folder.
74
UNCLASSIFIED
UNCLASSIFIED
Folder Permissions:
List
Full Read &
Special Permissions Modify Folder Read Write
Control Execute
75
UNCLASSIFIED
UNCLASSIFIED
File Permissions:
Security Settings with Security Templates
The recommended changes to system files and folders are listed in Table 17.
The necessary changes can be made in one of two ways. The first method is to use the
Security Configuration Tool Set to apply the recommended file and folder permissions.
The alternative and more time-consuming method is to change permissions on each file
and folder manually.
To view file system settings of a security template select the following in the MMC:
Security Templates
Default file directory (%SystemRoot%\Security\Templates)
Specific configuration file
File System
To modify the security settings on a particular file or folder already specified in the inf
file:
In the right frame, double-click on the file or folder to be changed
76
UNCLASSIFIED
UNCLASSIFIED
Ensure that the Configure this file or folder then radio button is selected. Under
this option, there are two other options:
Propagate inheritable permissions to all subfolders and files – all subfolders
and files that already inherit permissions from the folder being configured will
77
UNCLASSIFIED
UNCLASSIFIED
Configure the permissions according to the steps detailed in the previous
Modifying permissions on a file or folder section
Security Settings with Security Templates
Chapter 9 – Modifying File System
There are occasions when a specific file or folder should retain its current security
settings. To ensure that parent folders do not propagate their new permissions down to
such files or folders, the object may be excluded from configuration.
To exclude an object:
In the right frame of File System, double-click on the file or folder to be changed
Click the Do not allow permissions on this file or folder to be replaced radio button
Click OK
Folders and files not explicitly listed below are assumed to inherit the permissions of their
parent folder. Folders with “Ignore” are explicitly excluded from security configuration and
retain their original permissions. The term “Replace” indicates that the Replace existing
permissions on all subfolders and files with inheritable permissions radio button should be
enabled while “Propagate” indicates that the Propagate inheritable permissions to all
subfolders and files radio button should be enabled. Figure 6 shows these options.
Unless otherwise noted, permissions are assumed to apply to all subfolders and files
below the configured folder.
NOTE: Several of the security settings listed below are based
on Microsoft’s high security template (hisecws.inf).
Microsoft chose to exclude several folders by setting the
“Ignore” attribute in order to maintain the default security
settings. However, it cannot be assumed that these default
settings have not been modified in the past. Therefore,
permissions have been set explicitly on most of these folders
to reflect what the default permissions should be. In such
cases, the “Propagate” option was selected.
In the domain controller security template, “W2K DC.inf,” all instances of the Users group
have been replaced with the Authenticated Users group.
78
UNCLASSIFIED
UNCLASSIFIED
79
UNCLASSIFIED
UNCLASSIFIED
RECOMMENDED INHERIT
FOLDER OR FILE USER GROUPS
PERMISSIONS METHOD
Security Settings with Security Templates
80
UNCLASSIFIED
UNCLASSIFIED
RECOMMENDED INHERIT
FOLDER OR FILE USER GROUPS
PERMISSIONS METHOD
%SystemDirectory%\repl\export Administrators Full Control Propagate
Replicator Read, Execute
Boot menu.
%SystemDrive%\config.sys Administrators Full Control Replace
c:\config.sys SYSTEM Full Control
Users Read, Execute
Initialization file for DOS applications.
%SystemDrive%\Documents and Settings Administrators Full Control Propagate
SYSTEM Full Control
Folder containing user and default profiles. Users Read, Execute
81
UNCLASSIFIED
UNCLASSIFIED
RECOMMENDED INHERIT
FOLDER OR FILE USER GROUPS
PERMISSIONS METHOD
Security Settings with Security Templates
82
UNCLASSIFIED
UNCLASSIFIED
RECOMMENDED INHERIT
FOLDER OR FILE USER GROUPS
PERMISSIONS METHOD
%SystemDrive%\io.sys Administrators Full Control Replace
SYSTEM Full Control
83
UNCLASSIFIED
UNCLASSIFIED
RECOMMENDED INHERIT
FOLDER OR FILE USER GROUPS
PERMISSIONS METHOD
Security Settings with Security Templates
84
UNCLASSIFIED
UNCLASSIFIED
RECOMMENDED INHERIT
FOLDER OR FILE USER GROUPS
PERMISSIONS METHOD
%SystemRoot%\SYSVOL\domain\Policies Administrators Full Control Propagate
(Domain Controllers only) Authenticated Users Read, Execute
85
UNCLASSIFIED
UNCLASSIFIED
RECOMMENDED INHERIT
FOLDER OR FILE USER GROUPS
PERMISSIONS METHOD
Security Settings with Security Templates
86
UNCLASSIFIED
UNCLASSIFIED
Chapter
10
and Analysis
Once the appropriate security templates have been modified, security analysis and
configuration can be performed via the Security Configuration and Analysis snap-in or
command line operations. This procedure should be conducted when applying a security
configuration to a local system. For instructions on importing security templates into
Group Policy, see the Guide to Securing Microsoft Windows 2000 Group Policy.
WARNING: Applying a secure configuration to a Windows
2000 system may result in a loss of performance and
functionality.
Loading the Security Configuration and Analysis snap-in into the MMC
To load the Security Configuration and Analysis snap-in into the MMC:
Run the Microsoft Management Console (mmc.exe)
Select Console → Add/Remove Snap-in
Click Add
Select Security Configuration and Analysis
Click Add
Click Close
Click OK
To avoid having to reload the snap-in every time the MMC is exited and reopened, save
the current console settings by performing the following:
In the Console menu, select Save. By default, the file will be saved in the
Administrative Tools menu of the currently logged-on user.
Enter the file name under which the current console settings will be saved
From then on, the console can be accessed from Start → Program Files →
Administrative Tools.
NOTE: More than one snap-in can be loaded into the MMC at
one time. E.g., the Security Templates and Security
Configuration and Analysis templates can both be loaded
into a console that is saved for future use.
87
UNCLASSIFIED
UNCLASSIFIED
The Security Configuration and Analysis snap-in uses a database to store settings for an
Configuration and Analysis
analysis or configuration. To open an existing database or new database while using the
Chapter 10 – Security
GUI:
In the MMC, right click on the Security Configuration and Analysis node
Select Open Database
Enter the name of an existing database or a new database
Click Open
NOTE: It is recommended that a new database be created for
each analysis and configuration coupling.
Configuration files may be imported into the database by executing the following
procedure:
If a new database name was entered when opening a database, user will
automatically be prompted to enter the configuration file to import. Otherwise:
Right click on the Security Configuration and Analysis node in the left pane of the
MMC
Select Import Template
In the Import Template dialog box, select the appropriate inf configuration file.
Check the Clear this database before importing box to remove any previous
settings stored in the database as illustrated in Figure 7.
NOTE: Import operations can append to or overwrite
database information that has been previously imported.
Appending is the default. If user does not want to combine
templates in a configuration, check the “Clear this database
before importing” checkbox to overwrite the current
database.
WARNING: To avoid confusion and accidental combining of
configurations, it is recommended that this option be
checked every time a new analysis or configuration is
performed.
Click Open
88
UNCLASSIFIED
UNCLASSIFIED
Parameter Description
/analyze Performs an analysis
/configure Performs a configuration
/cfg filename Path to a configuration file that will be appended to the database prior to
performing the analysis
/db filename Path to the database that secedit will perform the analysis against. If this
parameter is not specified, the last configuration/analysis database is used.
If there is no previous database,
%SystemRoot%\Security\Database\secedit.sdb is used.
NOTE: It is recommended that a new database be
created for each analysis and configuration coupling.
/log LogPath Path to log file for the process. If not provided, progress information is
output to the console.
NOTE: Log information is appended to the specified log
file. User must specify a new file name if a new log file
is to be created.
89
UNCLASSIFIED
UNCLASSIFIED
Parameter Description
/quiet Suppress screen and log output
/overwrite Overwrite the named database with the given configuration information.
NOTE: Configuration files can be appended to or
Configuration and Analysis
/areas Areas Only relevant when using the /configure switch. Specifies the security
areas to be processed. The following areas are available:
SECURITYPOLICY - Local policy and domain policy for the system,
including account policies, audit policies, etc.
GROUP_MGMT - Restricted Group settings
USER_RIGHTS - User rights assignments
DSOBJECTS - Security on directory objects
REGKEYS - Security permissions on local registry keys
FILESTORE - Security permissions on local file system
SERVICES - Security configuration for all defined services
Parameter Description
/export Exports a stored template from a security database to a security template
file
/refreshpolicy {machine_policy Refreshes system security by reapplying the security settings to the Group
| user_policy} {/enforce} Policy object (or Local Group Policy Object). The parameters available
with this option are:
machine_policy – reapply machine-related settings; this option will be most
used for security settings since the recommended settings are machine-
specific
user_policy – reapply user-related settings
/enforce – reapply settings regardless of whether they have changed
/validate <filename> Validates the syntax of a template to be imported into a database for
analysis or configuration
A security analysis is performed against a database. The configuration file(s) that have
been imported into the database define the baseline for the analysis. Security settings
within the configuration file(s) are compared to the current system security settings, and
the results are stored back into a database. The baseline settings are presented
alongside the current system settings. Configuration information can be modified as a
90
UNCLASSIFIED
UNCLASSIFIED
result of the analysis. The modified configuration information can be exported into a
configuration file for subsequent use.
To perform a security analysis via the command line, execute the following in a CMD
prompt window:
and Analysis
output will be written to the screen.
Figure 8 shows a sample result of a security analysis via the Security Configuration and
Analysis snap-in. The following steps should be followed to perform a security analysis
via the GUI:
Right-click on the Database node
Select Analyze Computer Now…
In the Perform Analysis dialog box, enter the error log file path.
NOTE: Log information is appended to the specified log file.
A new file name must be specified if a new log file is to be
created.
Click OK
91
UNCLASSIFIED
UNCLASSIFIED
Configuration and Analysis
Chapter 10 – Security
Configuring a System
During configuration, errors may result if specific files or registry keys do not exist on the
system, but exist in the inf configuration file. Do not be alarmed. The inf files attempt
to cover many different scenarios and configurations that your system may or may not
match.
To configure all of the available security options at one time via the command line:
secedit /configure [/cfg filename] [/db filename] [/log
LogPath] [/verbose] [/quiet] [/overwrite] [/areas Areas]
WARNING: Failure to enter a new database name each time a
configuration is made or specify the /overwrite option may
result in unpredictable behavior by secedit. For example,
imported configuration files could get merged with other files
and report unexpected analyses.
Following is an example of using the command line tool to configure only specific security
areas:
secedit /configure /cfg “W2K workstation.inf” /db newdb.sdb
/log logfile.txt /overwrite /areas REGKEYS FILESTORE
92
UNCLASSIFIED
UNCLASSIFIED
This example will import the “W2K workstation.inf” file system and registry
permission security settings and configure the local system.
The following steps should be followed to configure a system using the Security
and Analysis
In the Configure System dialog box, enter the error log file path.
NOTE: Log information is appended to the specified log file.
A new file name must be specified if a new log file is to be
created.
Click OK
NOTE: When a system is configured via the GUI, all settings
in the template are applied. There is no option, as with
secedit.exe, to specify that only parts of the template, e.g. file
permissions or account policies, are to be applied.
93
UNCLASSIFIED
UNCLASSIFIED
Configuration and Analysis
Chapter 10 – Security
94
UNCLASSIFIED
UNCLASSIFIED
Appendix
A
Example Logon Banner
The DoD uses a standard warning banner that can be downloaded from the United
Appendix A – Example
States Navy INFOSEC Web Information Service http://infosec.nosc.mil/infosec.html.
Select the text under the United States Department of Defense Warning Statement and
Logon Banner
copy it to the clipboard. This banner should resemble the following message:
“This is a Department of Defense computer system. This computer system, including all
related equipment, networks, and network devices (specifically including Internet access),
is provided only for authorized U. S. Government use. DoD computer systems may be
monitored for all lawful purposes, including to ensure that their use is authorized, for
management of the system, to facilitate protection against unauthorized access, and to
verify security procedures, survivability, and operational security. Monitoring includes
active attacks by authorized DoD entities to test or verify the security of this system.
During monitoring, information may be examined, recorded, copied, and used for
authorized purposes. All information, including personal information, placed on or sent
over this system may be monitored. Use of this DoD computer system, authorized or
unauthorized, constitutes consent to monitoring of this system. Unauthorized use may
subject you to criminal prosecution. Evidence of unauthorized use collected during
monitoring may be used for administrative, criminal or adverse action. Use of this system
constitutes consent to monitoring for these purposes."
Windows 2000 displays a message box with a caption and text that can be configured
before a user logs on to the machine. The DoD requires organizations to use this
message box to display a warning that notifies users that they can be held legally liable if
they attempt to log on without authorization to use the computer. The absence of such a
notice could be construed as an invitation, without restriction, to log on to the machine
and browse the system.
95
UNCLASSIFIED
UNCLASSIFIED
Appendix
B
Appendix B - References
References
Ackerman, Pilar, et. al., Microsoft Windows 2000 Professional Resource Kit, Redmond,
Washington: Microsoft Press, 2000.
Bartock, Paul, Julie Haney, et. al., Guide to Securing Microsoft Windows NT Networks version
4.1, National Security Agency, September 2000.
“How to Use the RestrictAnonymous Registry Value in Windows 2000,” KB article Q246261
http://support.microsoft.com/support/kb/articles/Q246/2/61.asp,
Microsoft, 2000.
McLean, Ian, Windows 2000 Security Little Black Book, Scottsdale, Arizona: Coriolis Group,
2000.
“OFF2000: ‘Installation Ended Prematurely Because of an Error’ When You Run Office Setup,”
KB article Q230895 http://support.microsoft.com/support/kb/articles/Q230/8/95.asp,
Microsoft, 2000
Russel, Charlie and Sharon Crawford, Microsoft Windows 2000 Server Administrator’s
Companion, Redmond, Washington: Microsoft Press, 2000.
96
UNCLASSIFIED
UNCLASSIFIED
97
UNCLASSIFIED